
SOC Alert Enrichment

Automate threat intelligence lookups for security alerts

Security analysts spend significant time manually researching IPs and domains in alerts. EdgeDNS automates this enrichment to accelerate investigation and response.

The Challenge

Security Operations Centers receive thousands of alerts daily. Each alert requires context: Who owns this IP? Is this domain legitimate? When was it registered? Manual lookups across multiple tools slow down investigation and response times, allowing threats to persist longer.

The Solution

Integrate EdgeDNS with your SIEM or SOAR platform to automatically enrich alerts with threat context. Get instant information about IP geolocation, ASN ownership, domain registration, and trust scores to prioritize and investigate alerts faster.

Endpoints Used

Combine these EdgeDNS endpoints to build this solution.

GET /v1/ip/geolocation

IP Geolocation: Identify IP location, ISP, and hosting provider

GET /v1/network/asn

ASN Lookup: Get autonomous system information and ownership

GET /v1/domain/whois

WHOIS Lookup: Check domain registration date and registrant info

GET /v1/score/trust

Trust Score: Assess domain/IP reputation and risk level

GET /v1/ip/reverse

Reverse DNS: Resolve IP to hostname via PTR records

Results You Can Achieve

Sub-second IOC enrichment

Domain and IP context returned from a few parallel API calls, typically well under the minutes an analyst-driven manual lookup can take per indicator.

Composite trust score per indicator

Reputation, age, threat-feed presence, and infrastructure context combine into a single triage score for SIEM/SOAR routing rules.

Scale to thousands of indicators per analyst

Batch enrichment handles SIEM-fed indicator lists without queueing — capacity scales with API tier, not analyst count.

Code Example

Enrich security alert with threat context

```javascript
const EDGEDNS_BASE = 'https://api.edgedns.dev';

// Read the key from the environment instead of hardcoding it in source.
// EDGEDNS_API_KEY is an assumed variable name; use whatever your secret store provides.
const headers = { 'Authorization': `Bearer ${process.env.EDGEDNS_API_KEY}` };

// GET an EdgeDNS endpoint. URLSearchParams encodes the indicator, so a hostile
// value lifted from an alert cannot add or alter query parameters, and a
// non-2xx response is surfaced instead of being parsed as enrichment data.
async function edgeGet(path, params) {
  const url = `${EDGEDNS_BASE}${path}?${new URLSearchParams(params)}`;
  const res = await fetch(url, { headers });
  if (!res.ok) throw new Error(`EdgeDNS ${path} returned HTTP ${res.status}`);
  return res.json();
}

async function enrichAlert(alert) {
  const enrichments = {};

  // Enrich IP indicators: geolocation, ASN ownership and trust score, fetched in parallel
  if (alert.sourceIP) {
    const [geo, asn, trust] = await Promise.all([
      edgeGet('/v1/ip/geolocation', { ip: alert.sourceIP }),
      edgeGet('/v1/network/asn', { ip: alert.sourceIP }),
      edgeGet('/v1/score/trust', { ip: alert.sourceIP }),
    ]);

    enrichments.sourceIP = {
      country: geo.data.country,
      organization: asn.data.organization,
      trustScore: trust.data.score,
      riskLevel: trust.data.risk_level
    };
  }

  // Enrich domain indicators: registration data and trust score
  if (alert.domain) {
    const [whois, trust] = await Promise.all([
      edgeGet('/v1/domain/whois', { domain: alert.domain }),
      edgeGet('/v1/score/trust', { domain: alert.domain }),
    ]);

    enrichments.domain = {
      registrationDate: whois.data.created_date,
      domainAge: whois.data.domain_age_days,
      trustScore: trust.data.score
    };
  }

  return { ...alert, enrichments };
}
```
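The enrichment above only attaches context; the triage value comes from the routing rules that consume it. The following is an added example, not EdgeDNS code, showing how the composite trust score and domain age described under "Results You Can Achieve" can drive SIEM/SOAR routing. The score scale (0-100, higher is more trustworthy), the risk_level labels, the thresholds and the sample enriched alerts are all constructed assumptions for illustration, not documented EdgeDNS semantics. It also handles the failure mode a practitioner cares about most: an indicator whose enrichment never arrived (API error, rate limit) must not be scored as benign.

```javascript
// Assumed for illustration: trust score 0-100 (higher = more trustworthy),
// risk_level in {'low','medium','high'}. Tune thresholds against your own data.
const NEW_DOMAIN_DAYS = 30;   // domains younger than this are treated as suspicious
const LOW_TRUST = 40;         // trust score below this escalates the alert

function triageAlert(enriched) {
  const { enrichments = {} } = enriched;
  const reasons = [];

  // Failure mode: indicator present but its enrichment missing (API error,
  // rate limit, timeout). "No data" must never silently read as "benign".
  if ((enriched.sourceIP && !enrichments.sourceIP) ||
      (enriched.domain && !enrichments.domain)) {
    return { priority: 'medium', route: 'manual-review', reasons: ['enrichment incomplete'] };
  }

  const ip = enrichments.sourceIP;
  const dom = enrichments.domain;

  if (ip) {
    if (ip.trustScore < LOW_TRUST) reasons.push(`source IP trust score ${ip.trustScore}`);
    if (ip.riskLevel === 'high') reasons.push('source IP risk_level high');
  }
  if (dom) {
    if (dom.domainAge !== undefined && dom.domainAge < NEW_DOMAIN_DAYS) {
      reasons.push(`domain registered ${dom.domainAge} days ago`);
    }
    if (dom.trustScore < LOW_TRUST) reasons.push(`domain trust score ${dom.trustScore}`);
  }

  // Combine independent signals: two or more => high, one => medium, none => low.
  let priority = 'low';
  if (reasons.length >= 2) priority = 'high';
  else if (reasons.length === 1) priority = 'medium';

  const route = priority === 'high' ? 'soar-containment'
              : priority === 'medium' ? 'analyst-queue'
              : 'auto-close-candidate';
  return { priority, route, reasons };
}

// Constructed sample alerts in the shape enrichAlert() returns; not real API responses.
const SAMPLE_ALERTS = [
  { id: 'a1', sourceIP: '203.0.113.10', domain: 'login-update-portal.example',
    enrichments: {
      sourceIP: { country: 'XX', organization: 'Example Hosting', trustScore: 22, riskLevel: 'high' },
      domain: { registrationDate: '2024-05-01', domainAge: 4, trustScore: 15 } } },
  { id: 'a2', sourceIP: '198.51.100.7',
    enrichments: {
      sourceIP: { country: 'US', organization: 'Example ISP', trustScore: 88, riskLevel: 'low' } } },
  { id: 'a3', sourceIP: '192.0.2.55', enrichments: {} },  // enrichment call failed
];

function triageAll(alerts) {
  return alerts.map(a => ({ id: a.id, ...triageAlert(a) }));
}

// Usage: feed the routing decision back into the SIEM/SOAR as a field on the alert.
console.log(JSON.stringify(triageAll(SAMPLE_ALERTS), null, 2));
```

Requiring two independent signals before escalating keeps a single noisy field (for example a low score on a shared CDN IP) from flooding the containment queue, while the explicit "manual-review" branch ensures a rate-limited or failed lookup shows up as an analyst task rather than an auto-closed alert.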


Ready to build SOC Alert Enrichment?

Get started with 200 free API requests per month. No credit card required.
